Documente Academic
Documente Profesional
Documente Cultură
R80.10
Administration Guide
Classification: [Protected]
© 2017 Check Point Software Technologies Ltd.
All rights reserved. This product and related documentation are protected by copyright and
distributed under licensing restricting their use, copying, distribution, and decompilation. No part
of this product or related documentation may be reproduced in any form or by any means without
prior written authorization of Check Point. While every precaution has been taken in the
preparation of this book, Check Point assumes no responsibility for errors or omissions. This
publication and features described herein are subject to change without notice.
RESTRICTED RIGHTS LEGEND:
Use, duplication, or disclosure by the government is subject to restrictions as set forth in
subparagraph (c)(1)(ii) of the Rights in Technical Data and Computer Software clause at DFARS
252.227-7013 and FAR 52.227-19.
TRADEMARKS:
Refer to the Copyright page http://www.checkpoint.com/copyright.html for a list of our
trademarks.
Refer to the Third Party copyright notices http://www.checkpoint.com/3rd_party_copyright.html
for a list of relevant copyrights and third-party licenses.
Important Information
Latest Software
We recommend that you install the most recent software release to stay up-to-date
with the latest functional improvements, stability fixes, security enhancements and
protection against new and evolving attacks.
Feedback
Check Point is engaged in a continuous effort to improve its documentation.
Please help us by sending your comments
mailto:cp_techpub_feedback@checkpoint.com?subject=Feedback on Remote Access
VPN R80.10 Administration Guide.
Revision History
Date Description
18 September 2017 Addition of CLI commands ("VPN CLI Commands" on page 163).
SmartConsole Toolbars
For a guided tour of SmartConsole, click What's New in the left bottom corner of SmartConsole.
Manage & Settings view - review and configure the Security Management
Server settings
Ctrl+4
Connected The administrators that are connected to the Security Management Server
Users
IPsec VPN
The IPsec VPN solution lets the Security Gateway encrypt and decrypt traffic to and from other
gateways and clients. Use SmartConsole to easily configure VPN connections between Security
Gateways and remote devices.
For Site to Site Communities, you can configure Star and Mesh topologies for VPN networks, and
include third-party gateways.
The VPN tunnel guarantees:
• Authenticity - Uses standard authentication methods
• Privacy - All VPN data is encrypted
• Integrity - Uses industry-standard integrity assurance methods
The Check Point IPsec VPN Software Blade provides these VPN connectivity modes to help
organizations resolve those challenges:
• Office Mode
Remote users can be assigned the same or non-routable IP addresses from the local ISP.
Office Mode solves these routing problems and encapsulates the IP packets with an available
IP address from the internal network. Remote users can send traffic as if they are in the office
and avoid VPN routing problems.
• Visitor Mode
Remote users can be restricted to using only HTTP and HTTPS protocols. Visitor Mode lets
these users tunnel all protocols through regular TCP connections on port 443.
Install policy
VPN Components
VPN is composed of:
• VPN endpoints, such as Security Gateways, Security Gateway clusters, or remote clients (such
as laptop computers or mobile phones) that communicate using a VPN.
• VPN trust entities, such as a Check Point Internal Certificate Authority (ICA). The ICA is part of
the Check Point suite used for creating SIC trusted connection between Security Gateways,
authenticating administrators and third party servers. The ICA provides certificates for internal
Security Gateways and remote access clients which negotiate the VPN link.
• VPN Management tools, such as Security Management Server and SmartDashboard.
SmartDashboard is the SmartConsole used to access the Security Management Server. The
VPN Manager is part of SmartDashboard. SmartDashboard enables organizations to define
and deploy Intranet, and remote Access VPNs.
Item Description
1 Host1. Part of VPN Site 1.
3 Internet
4 Remote Client
In the figure, the remote user initiates a connection to Security Gateway 1. User management is
not performed via the VPN database, but by LDAP server belonging to VPN Site 2. Authentication
takes place during the IKE negotiation. Security Gateway 1 verifies that the user exists by querying
the LDAP server behind Security Gateway 2. After the user's existence is verified, the Security
Gateway authenticates the user, for example by validating the user's certificate. After IKE is
successfully completed, a tunnel is created and the remote client connects to Host 1.
If the client is behind the Security Gateway (for example, if the user accesses the corporate LAN
from a company office), connections from the client to destinations that are also behind the LAN
Security Gateway are not encrypted.
Examples:
• This rule allows traffic from all VPN Communities to the internal network on all services:
Name Source Destination VPN Services &
Applications
Allow all remote * Any Internal_Network * Any * Any
access
• This rule allows traffic from RemoteAcccess VPN Community to the internal network on HTTP
and HTTPS.
Name Source Destination VPN Services &
Applications
Allow * Any Internal_Network RemoteAccess HTTP
RemoteAccess HTTPS
community
• This rule allows traffic from RemoteAcccess VPN Community to the internal network on all
services when the traffic starts from the Endpoint Security VPN client.
See Access Roles for Remote Access (on page 30) for details of how to create Access Roles for
Remote Access and VPN Clients to include them in rules in the Access Control Rule Base.
Types of Solutions
All of Check Point's Remote Access solutions provide:
• Enterprise-grade, secure connectivity to corporate resources.
• Strong user authentication.
• Granular access control.
Factors to consider when choosing remote access solutions for your organization:
• Client-Based vs. Clientless - Does the solution require a Check Point client to be installed on
the endpoint computer or is it clientless, for which only a web browser is required. You might
need multiple solutions within your organization to meet different needs.
• Secure Connectivity and Endpoint Security - Which capabilities does the solution include?
• Secure Connectivity - Traffic is encrypted between the client and VPN gateway. After users
authenticate, they can access the corporate resources that are permitted to them in the
access policy. All Check Point solutions supply this.
• Endpoint Security - Endpoint computers are protected at all times, even when there is no
connectivity to the corporate network. Some Check Point solutions supply this.
• Clientless - Users connect through a web browser and use HTTPS connections. Clientless
solutions usually supply access to web-based corporate resources.
• On demand client - Users connect through a web browser and a client is installed when
necessary. The client supplies access to most types of corporate resources according to the
access privileges of the user.
SSL VPN Portal and Supported Client or Encryption Security Desktop IPv6
Clients Operating Clientless Protocol Verification Firewall Support
Systems for Endpoint on
Devices Endpoint
Devices
Mobile Access Web Windows, Clientless SSL
Portal Linux, Mac
R77.10
OS, iOS,
and
Android
higher
Required Licenses - The IPsec VPN Software Blade on the gateway, an Endpoint Container
license, and an Endpoint VPN Software Blade license on the Security Management Server.
Supported Platforms - Windows
Where to Get the Client - Check Point Support Center - sk67820
http://supportcontent.checkpoint.com/solutions?id=sk67820.
Note - Endpoint Security VPN on Mac OS X includes a Desktop Firewall but not Security
Verification.
SecuRemote
SecuRemote is a secure, but limited-function IPsec VPN client. It provides secure connectivity.
Required Licenses - IPsec VPN Software Blade on the gateway. It is a free client and does not
require additional licenses.
Supported Platforms - Windows
Where to Get the Client - Check Point Support Center - sk67820
http://supportcontent.checkpoint.com/solutions?id=sk67820.
Remote Access VPN Administration Guide R80.10 | 28
CHAPTE R 4
3. On the Participating Gateways page, click the Add button and select the Security Gateways
that are in the Remote Access Community.
4. On the Participating User Groups page, click the Add button and select the group that contains
the Remote Access users.
5. Click OK.
6. Publish the changes.
3. Optional: Enter a Comment or click the down arrow to select a Color for the object.
4. From the left pane, select Remote Access Clients.
5. Expand the Specific Client list and click New > Allowed client.
6. Click to select a client and enter an object name.
7. Click OK.
8. Optional: To make the Access Role include only specified users, select Users from the left
pane and define the allowed users.
9. Click OK.
The administrator can also initiate a certificate generation on the ICA management tool. It is also
possible to use third-party Certificate Authorities to create certificates for authentication between
Security Gateways and remote users. The supported certificate formats are PKCS#12, CAPI, and
Entrust.
Users can also be given a hardware token for storing certificates. This option offers the advantage
of higher level of security, since the private key resides only on the hardware token.
As part of the certificate validation process during the IKE negotiation, both the client and the
Security Gateway check the peer's certificate against the Certificate Revocation List (CRL)
published by the CA which issued the certificate. If the client is unable to retrieve a CRL, the
Security Gateway retrieves the CRL on the client's behalf and transfers the CRL to the client
during the IKE negotiation (the CRL is digitally signed by the CA for security).
Pre-Shared Secret
This authentication method has the advantage of simplicity, but it is less secure than certificates.
Both parties agree upon a password before establishing the VPN. The password is exchanged
"out-of-band", and reused multiple times. During the authentication process, both the client and
Security Gateway verify that the other party knows the agreed-upon password.
Each configured login option is a global object that can be used with multiple gateways and the
Mobile Access and IPsec VPNSoftware Blades.
To let newer clients connect to the gateway with the authentication settings defined
for older clients:
Select Allow newer client that support Multiple Login options to use this authentication method.
5. Click Customize to change the description of fields that are shown to users in the Connect
window. See Customize Display Settings (on page 37).
6. Click OK.
7. Click OK.
8. Install policy on the gateway.
You can configure DynamicID for older clients manually in GuiDBedit. See sk86240
http://supportcontent.checkpoint.com/solutions?id=sk86240.
Certificate Parsing
When you select Personal Certificate as a Login option, you can also configure what information
the gateway sends to the LDAP server to parse the certificate. The default is the DN. You can
configure the settings to use the user's email address or a serial number instead.
Configuring DynamicID
Basic DynamicID configuration is shown here. For Advanced configuration options, see the Mobile
Access Administration Guide http://downloads.checkpoint.com/dc/download.htm?ID=53103.
DynamicID Settings
This table explains parameters used in the SMS Provider and Email Settings field. The value of
these parameters is automatically used when sending the SMS or email.
Parameter Meaning
$APIID The value of this parameter is the API ID.
$USERNAME The value of this parameter is the username for the SMS provider.
$PASSWORD The value of this parameter is the password for the SMS provider.
$PHONE User phone number, as found in Active Directory or in the local file on
the gateway, including digits only and without a + sign.
$EMAIL The email address of the user as found in Active Directory or in the
local SmsPhones.lst file on the gateway. If the email address should
be different than the listed one, it can be written explicitly.
$MESSAGE The value of this parameter is the message configured in the Advanced
Two-Factor Authentication Configuration Options in SmartDashboard.
When a user attempts to authenticate to a protected resource, that one-time-use code must
be validated by the ACE/Server.
When employing SecurID as an authentication scheme, the Security Gateway forwards
authentication requests by remote users to the ACE/Server. ACE manages the database of RSA
users and their assigned hard or soft tokens. The VPN module acts as an ACE/Agent 5.0, which
means that it directs all access requests to the RSA ACE/Server for authentication. For agent
configuration see ACE/Server documentation.
The differences between user management on the internal database, and User Directory:
• User Directory is done externally and not locally.
• If you change User Directory templates the change is applied to users dynamically,
immediately.
Revoking Certificates
The way in which certificates are revoked depends on whether they are managed internally or
externally, using LDAP.
10. In Global Properties > Authentication window, add or disable suffix matching.
For users with certificates, it is possible to specify that only certificates with a specified suffix
in their DN are accepted. This feature is enabled by default, and is required only if:
• Users are defined in the internal database, and
• The user names are not the full DN.
All certificates DN's are checked against this suffix.
Note - If an hierarchy of Certificate Authorities is used, the chain certificate of the user
must reach the same root CA that the Security Gateway trusts.
To associate one or more Radius servers to a gateway, run this dbedit command:
modify network_objects <gateway obj> radius_server servers:<radius obj>
To configure RADIUS authentication settings for users with Security Gateway user
accounts:
1. Create new internal user profile for each user. In SmartConsole, click Objects > New > More >
User > User.
The User Properties window opens.
2. In the General Properties tab, configure these settings:
• Enter a User Name for the RADIUS server.
• Set the Expiration Date.
3. In the Authentication tab, configure these settings:
• Select RADIUS from the Authentication method list
• From the RADIUS Server list, select the RADIUS object that you configured earlier
4. Click OK.
To configure RADIUS authentication settings for users without Security Gateway user
accounts:
Create a new external user profile for each user in SmartDashboard, which opens from
SmartConsole.
1. Open SmartDashboard:
a) In SmartConsole, go to the Manage & Settings tab.
b) Click Blades .
c) Click one of the links for Configure in >SmartDashboard.
2. From the Network object tree, click the Users icon.
3. Right-click External User Profiles and select New External User Profile > Match all users (or
Match by domain).
If you support more than one external authentication scheme, set up External User Profiles
with the Match By Domain setting.
The External User Profile Properties window opens.
4. In the General Properties tab, configure these settings:
• Enter a User Name for the RADIUS server. (When configuring Match all users as an
External User Profile, the name "generic*" is automatically assigned)
• Set the Expiration Date.
5. In the Authentication tab, configure these settings:
• Select RADIUS from the Authentication Scheme list.
• From the Select a RADIUS Server or Group of Servers list, select the RADIUS object that
you configured earlier
6. Click OK.
7. Close SmartDashboard.
8. Install policy in SmartConsole.
The newer format resembles a credit card, and displays the tokencode, time bars and a numeric
pad for typing in the PIN number. This type of device mixes the tokencode with the entered PIN
number to create a Passcode. The client requests only the passcode.
SoftID operates the same as the passcode device but consists only of software that sits on the
desktop.
The Advanced view displays the tokencode and passcode with COPY buttons, allowing the user to
cut and paste between softID and the client:
Office Mode
In This Section:
The Need for Remote Clients to be Part of the LAN...................................................51
Office Mode ...................................................................................................................52
How Office Mode Works ...............................................................................................52
Assigning IP Addresses ................................................................................................54
IP Address Lease duration ...........................................................................................55
Using Name Resolution - WINS and DNS ...................................................................55
Anti-Spoofing ................................................................................................................55
Using Office Mode with Multiple External Interfaces .................................................56
Office Mode Per Site .....................................................................................................56
Enabling IP Address per User ......................................................................................57
Office Mode Considerations .........................................................................................59
Configuring Office Mode ...............................................................................................60
Office Mode
Office Mode enables a Security Gateway to assign a remote client an IP address. The assignment
takes place once the user connects and authenticates. The assignment lease is renewed as long
as the user is connected. The address may be taken either from a general IP address pool, or
from an IP address pool specified per user group. The address can be specified per user, or via a
DHCP server, enabling the use of a name resolution service. With DNS name resolution, it is
easier to access the client from within the corporate network.
It is possible to allow all your users to use Office Mode, or to enable the feature for a specific
group of users. This can be used, for example, to allow privileged access to a certain group of
users (e.g., administrators accessing the LAN from remote stations). It is also useful in early
integration stages of Office Mode, allowing you time to "pilot" this feature on a specific group of
users, while the rest of the users continue to work in the traditional way.
Office Mode is supported with the following:
• Endpoint Security VPN
• SSL Network Extender
• Crypto
• L2TP
Note - A remote user with SecuRemote client only is not supported in Office Mode.
A Closer Look
The following steps illustrate the process taking place when a remote user connected through
Office Mode wishes to exchange some information with resources inside the organization:
• The user is trying to connect to some resource on the LAN, thus a packet destined for the
internal network is to be sent. This packet is routed through the virtual interface that Office
Mode had set up, and bears the source IP address allocated for the remote user.
Remote Access VPN Administration Guide R80.10 | 52
Office Mode
• The packet is encrypted and builds a new encapsulating IP header for it. The source IP of the
encapsulating packet is the remote client's original IP address, and its destination is the IP
address of the Security Gateway. The encapsulated packet is then sent to the organization
through the Internet.
• The Security Gateway of the organization receives the packet, decapsulates and decrypts it,
revealing the original packet, which bears the source IP allocated for the remote user. The
Security Gateway then forwards the decapsulated packet to its destination.
• The internal resource gets a packet seemingly coming from an internal address. It processes
the packet and sends response packets back to the remote user. These packets are routed
back to the (internal) IP address assigned to the remote user.
• The Security Gateway gets the packet, encrypts and encapsulates it with the remote users'
original (routable) IP address and returns the packet back to the remote user:
Item Description
1 Host IP Address 10.0.01
2 Server
3 Gateway
4 Internet
5 ISP Router
6 User's machine
• The remote host uses the Office mode address in the encapsulated packet and 10.0.0.1 in the
encapsulating header.
• The packet is NATed to the new source address: 192.168.17.5
• The Security Gateway decapsulates the NATed IP address and decrypts the packet. The source
IP address is the Office Mode address.
• The packet is forwarded to the internal server, which replies correctly.
Assigning IP Addresses
The internal IP addresses assigned by the Security Gateway to the remote user can be allocated
using one of the following methods:
• IP Pool
• DHCP Server
IP Pool
The System Administrator designates a range of IP addresses to be utilized for remote client
machines. Each client requesting to connect in Office Mode is provided with a unique IP address
from the pool.
DHCP Server
A Dynamic Host Configuration Protocol (DHCP) server can be used to allocate IP addresses for
Office Mode clients. When a remote user connects to the Security Gateway using Office Mode, the
Security Gateway requests the DHCP server to assign the user an IP address from a range of IP
addresses designated for Office Mode users.
Security Gateway DHCP requests can contain various client attributes that allow DHCP clients to
differentiate themselves. The attributes are pre-configured on the client side operating system,
and can be used by different DHCP servers in the process of distributing IP addresses. Security
Gateways DHCP request can contain the following attributes:
• Host Name
• Fully Qualified Domain Name (FQDN)
• Vendor Class
• User Class
RADIUS Server
A RADIUS server can be used for authenticating remote users. When a remote user connects to a
Security Gateway, the username and password are passed on to the RADIUS server, which checks
that the information is correct, and authenticates the user. The RADIUS server can also be
configured to allocate IP addresses.
Anti-Spoofing
With Anti-Spoofing, a network administrator configures which IP addresses are expected on each
interface of the Security Gateway. Anti-Spoofing ensures IP addresses are only received or
transmitted in the context of their respective Security Gateway interfaces. Office Mode poses a
problem to the Anti-Spoofing feature, since a client machine can connect and authenticate
through several interfaces, e.g. the external interface to the Internet, or the wireless LAN
interface; thus an Office Mode IP address may be encountered on more than one interface. Office
Mode enhances Anti-Spoofing by making sure an encountered Office Mode IP address is indeed
assigned to the user, authenticated on the source IP address on the IPsec encapsulating packet,
i.e. the external IP.
Note - When Office Mode per Site is activated, Office Mode Anti-Spoofing is not
enforced.
In this scenario:
Item Description
1 Security Gateway 1
2 VPN Domain A
3 Internet
4 Remote Host
5 Security Gateway 2
6 VPN Domain B
Note - If this feature is implemented, you must enable Anti-Spoofing for Office Mode
(see "Anti-Spoofing" on page 55).
DHCP Server
To configure Office Mode addresses that are allocated by a DHCP server:
1. In SmartConsole, click Gateways & Servers and double-click the Security Gateway.
The gateway window opens and shows the General Properties page.
2. From the navigation tree, click VPN Clients > Office Mode.
3. Enable Office Mode for a group or all users.
Remote Access VPN Administration Guide R80.10 | 57
Office Mode
ipassignment.conf File
The $FWDIR/conf/ipassignment.conf file on the Security Gateway, is used to implement the
IP-per-user feature. It lets the administrator to assign specific addresses to specific users or
specific ranges to specific groups when they connect using Office Mode or L2TP clients.
#
# The third item is the IP address or addresses. In the case of a single
# address, it is specified in standard dotted decimal format.
# ranges can be specified either by the first and last IP address, or using
# a net specification. In either case you need to also specify the subnet
# mask length ('/24' means 255.255.255.0). With a range, this is the subnet
# mask. With a net it is both the subnet mask and it also determines the
# addresses in the range.
#
# After the third item come any of three keyword parameters. These are
# specifications for WINS (or NBNS) servers, for DNS servers and a DNS
# suffix. The parameters themselves are on the format 'keyword=(params)'
# where the params can be one address (such as "192.168.3.2"), several
# IP addresses (such as "192.168.3.2,192.168.3.3") or a string (only
# for the DNS suffix. The relevant keywords are "dns", "wins" and
# "suffix" and they are not case-sensitive.
# Inside the keyword parameters there must be no spaces or any other
# extra characters. These will cause the entire line to be ignored.
#
# The last item is the user name. This can be a common name if the
# user authenticates with some username/password method (like hybrid
# or MD5-Challenge) or a DN if the user authenticates with a
# certificate.
#
IP Pool Configuration
Make sure that all the internal routers are configured to route all the traffic destined to the
internal address space you had reserved to Office Mode users through the Security Gateway.
To specify which WINS and DNS servers Office Mode users can use:
Note - WINS and DNS servers should be set on the Security Management Server only when IP pool
is the selected method.
DHCP Configuration
To configure Office Mode with a DHCP server:
1. On your DHCP server's configuration, make sure that you have designated an IP address space
for Office Mode users (e.g., 10.130.56.0).
2. From the Objects Bar click New > Host.
3. Configure the settings for the name, IP address, and subnet mask.
4. Click OK and publish the changes.
To create a new network object for Office Mode on the DHCP server:
1. From the Objects Bar click New > Network.
The New Network window opens.
2. In Network Address enter the first address that is used (e.g. 10.130.56.0).
3. In Net Mask enter the subnet mask according to the amount of addresses that is used.
For example, the IP address 255.255.255.0 designates that all 254 IP addresses from
10.130.56.1 until 10.130.56.254 are set aside for remote host Office Mode addresses on the
DHCP server.
4. Click OK and publish the changes.
5. Install the Access Control policy.
6. Make sure that all the internal routers are configured to route all the traffic destined to the
internal address space you had reserved to Office Mode users through the Security Gateway.
For example, in the example above it is required to add routes to the class C sub network of
10.130.56.0 through the Security Gateway's IP address.
7. Make sure that the remote access clients are also configured to use Office Mode.
Desktop Security
In This Section:
The Need for Desktop Security ....................................................................................66
Desktop Security Solution ............................................................................................66
Desktop Security Considerations ................................................................................72
Letting Users Disable the Firewall ..............................................................................72
Avoiding Double Authentication for Policy Server ......................................................73
Item Description
1 Security Management Server
2 Firewall
3 Internet
5 Security Gateway
Implied Rules
In addition to the rules that you define, the Desktop Security Policy has implicit rules added to the
end of the inbound and outbound policies.
• The implicit outbound rule allows all connections that originate from the client to go out, if
they do not match previous blocking rules:
Any Destination, Any Service = Accept.
• The implicit inbound rule blocks all connections coming to the client that do not match
previous rules.
Any Source, Any Service = Block.
User Granularity
You can define different rules for remote users based on locations and user groups.
• Locations - Set rules to be implemented by physical location. For example, a user with a laptop
in the office building will have a less restrictive policy than when the same user on the same
laptop connects from a public wireless access point.
• User Groups - Set rules to be implemented for some users and not others. For example,
define restrictive rules for most users, but give system administrators more access privileges.
In addition, you can define rules to be enforced for all remote users, by not specifying a specific
user group, but rather all users.
Rules apply to user groups, not individual users. The client does not identify user groups, so it
must get group definitions from the gateway when it connects. The gateway resolves the user
groups of the authenticated user and sends this information to the client. The client enforces the
rules that apply to the user, based on the user groups.
Rules can also be applied to radius groups on the RADIUS server.
Default Policy
When a client is started, and before it connects to the Policy Server, it enforces a "default policy,"
which consists of the rules defined for all users in the last policy downloaded from the Policy
Server. This is because at this point, the client does not know to which groups the user belongs.
The default policy is enforced until the user downloads an updated policy (and the current user's
group information) from a Policy server.
If a client loses its connection to the Policy Server, it enforces the default policy until the
connection is restored and a Policy is downloaded.
Policy Server
A Policy Server is installed on a Security Gateway, when you enable it in the Gateway General
Properties > Network Security tab. It serves as a repository for the Desktop Security Policy. Client
machines download their Desktop Security Policies from the Policy Server.
When the client computer connects or re-authenticates to the site, it automatically checks the
Policy Server for updates and downloads them.
Location-Based Policies
Location-based policies add location awareness support for the Desktop Firewall using these
policies:
• Connected Policy - Enforced when:
• VPN is connected.
• VPN is disconnected and Location Awareness determines that the endpoint computer is on
an internal network. The Connected Policy is not enforced "as is" but modified according to
the feature's mode (the disconnected_in_house_fw_policy_mode property).
• Disconnected Policy - Enforced when the VPN is not connected and Location Awareness sees
that the endpoint computer is not on an internal network.
Location-Based Polices for Desktop Firewall are disabled by default.
Wireless Hotspots
Desktop Policy can support wireless hotspots.
A proxy might be required.
The information and procedures in this section are relevant for Endpoint Security VPN and Check
Point Mobile for Windows remote access clients.
• If the client passes all the SCV checks, the client is compliant.
• If the client fails one of the checks, it is not compliant.
Check Point's SCV solution comes with many predefined SCV checks for the operating system and
user's browser, and also allows OPSEC partners, such as Anti-Virus software manufacturers, to
add SCV checks for their own products.
Note - The SCV check described in this example is among the pre-defined SCV checks
included with Security Management Server. This check must be configured to test for
the specific process.
SCV Checks
Check Point SCV Checks
The default SCV checks (plug-ins) are part of the Endpoint Security VPN and Check Point Mobile
for Windows installation:
• OS Monitor - Verifies Operating System version, Service Pack, and Screen Saver configuration
(activation time, password protection, etc.).
• HotFix Monitor - Verifies that operating system security patches are installed, or not installed.
• Group Monitor - Verifies that the user logged into the operating system and is a member of
specified Domain User Groups.
• Process Monitor - Verifies that a process is running, or not running, on the client machine (for
example, that a file sharing application is not running, or that Anti-Virus is running).
• Browser Monitor - Verifies Internet Explorer version and configuration settings, such as Java
and ActiveX options.
• Registry Monitor - Verifies System Registry keys, values, and their contents.
• Anti-Virus Monitor - Verifies that an Anti-Virus is running and checks its version. Supported:
Norton, Trend Office Scan, and McAfee.
• SCVMonitor - Verifies the version of the SCV product, specifically the versions of the SCV DLLs
installed on the client's machine.
• HWMonitor - Verifies CPU type, family, and model.
• ScriptRun - Runs a specified executable on the client machine and checks the return code of
the executable. For example, a script can check if a certain file is present on the client
machine. It can perform additional configuration checks that you choose.
• Windows Security Monitor - Verifies that components monitored by Window Security Center
are installed and enforced (for example, check if there is Anti-Virus installed and running). You
can define which components you want to check.
Note - To enforce a specific SCV check, set the parameters of the check in the
SCVNames section, and include the name of the check in SCVPolicy.
User Privileges
To implement SCV effectively, it is suggested that you consider not to allow your remote users to
have administrative privileges on their desktops. Giving the users administrative privileges can
allow them to change system settings and cause SCV tests to fail. A desktop which fails an SCV
check is a potential security threat to the organization.
For example, as an administrator you may want to configure the user's browser not to allow him
to download Java applets from websites. A normal user will not be able to download these
applets, but a user with administrative privileges can override the browser's configuration. A
properly defined SCV policy can indicate that the browser's configuration had changed and trigger
a proper action on the Security Gateway side. However, if the user is allowed by the Security
Gateway to pass to the LAN - either by a wrong configuration of the SCV policy or lack of
enforcement of the user's SCV status on the Security Gateway side - then the user's desktop will
become a potential security risk to the LAN.
The SCV policy itself is protected. Users can not change the SCV policy definition files they receive,
even if they have administrative rights. The SCV policy files supplied to the client are signed before
arriving to the client and checked against their signature by the client. If the signatures do not
match, the SCV check fails.
Configuring SCV
Configuring SCV involves setting it up on the server, setting it up on the client, and configuring SCV
policy.
Note - In general, you can use the pre-defined checks (in the SCVNames section of
the local.scv file) as templates and list the modified checks in the SCV Policy section,
without writing new SCV subsets.
In the example above the set named SetName has two subsets: SubSetName1 and SubSetName2.
SubSetName1 has two conditions in it (ExpressionName1_1 and ExpressionName1_2).
SubSetName2 has one condition (ExpressionName2_1) and one subset (SubSetName2_1) in it.
SubSetName2_1 has one condition as well (ExpressionName2_1_1).
Expressions
Expressions are evaluated by checking the value of the expression (which corresponds to an SCV
check) and comparing it with the value defined for the expression (the value in the parentheses).
For example, in the browser monitor SCV check provided with the client, you can specify the
following expression:
:browser_major_version (5)
This expression checks whether the version of the Internet Explorer browser installed on the
client is 5.x. If the (major) version is 5, this expression is evaluated as true, otherwise it is
evaluated as false. The name of the expression (e.g. "browser_major_version") is determined by
the SCV application and is supplied by manufacturer.
If several expressions appear one after the other, they are logically ANDed, meaning that only if all
expressions are evaluated as true, then the value of all of them taken together is true. Otherwise
(if even one of the expressions is false), the value of all of them is false. For example:
:browser_major_version (5)
:browser_minor_version (0)
These expressions are ANDed. If the version of Internet Explorer is 5 AND the minor version is 0
(i.e. version 5.0), then the result is true, otherwise it is false. If the version of Internet Explorer is,
for example, 4.0, then the first expression is false and the second one is true, and the result of
both of them is false.
Sometimes, some expressions can influence the way in which others are evaluated. For example:
:browser_major_version (5)
:browser_minor_version (0)
:browser_version_operand (">=")
These expressions are ANDed, but the third expression influences the way that the first and
second ones are evaluated. In the example above, if the version of Internet Explorer is greater
than or equal to (">=") 5.0, then the result is true, otherwise it is false. If the version of Internet
Explorer is, for example, 4.5, then the result is false, if the version is 5.1 or higher than the result
is true.
Logical Sections
As mentioned earlier, subsequent expressions are automatically ANDed. However, sometimes it is
necessary to perform a logical OR between expressions, instead of logical AND. This is done by
using labels:
The begin_or (orX) label - this label starts a section containing several expressions. The end of
this section is marked by the end (orX) label (X should be replaced with a number which
differentiates between different sections OR sections). All of expressions inside this section are
logically ORed, producing a single value for the section. For example:
:begin_or(or1)
:browser_major_version (5)
:browser_major_version (6)
:end(or1)
This section checks whether the version of Internet Explorer is 5 OR 6 - if it is then the result is
true, otherwise it is false.
The begin_and (andX) label - this label is similar to the begin_or (orX) label, but the expressions
inside are evaluated and logically ANDed. The end of this section is marked by the end (andX) or
the end (orX) label. As mentioned earlier, simple subsequent expressions are automatically
ANDed. The reason that this label exists is to allow nested ANDed sections inside ORed sections.
For example, if an administrator considers old browsers as secure since they do not have a lot of
potentially unsafe components, and new browsers as secure, since they contain all the latest
security patches, he can define the following SCV rules:
:begin_or (or1)
:begin_and (and1)
:browser_major_version (5)
:browser_minor_version (0)
:browser_version_operand (">=")
:end (and1)
:begin_and (and2)
:browser_major_version (3)
:browser_minor_version (0)
:browser_version_operand ("<=")
:end (and2)
:end (or1)
In the example above, the first AND section checks whether the version of IE >= 5.0, the second
AND section checks whether the version of IE is <=3.0 and they are ORed. The entire example is
evaluated as true only if the version of IE is larger than (or equal to) 5.0 OR lower than (or equal to)
3.0.
For example:
:browser_major_version (5)
:browser_minor_version (0)
:browser_version_operand (">=")
:begin_admin (admin)
:send_log (alert)
:mismatchmessage ("The version of your Internet Explorer browser is old.
For security reasons, users with old browsers are not allowed to access
the local area network of the organization. Please upgrade your Internet
Explorer to version 5.0 or higher. If you require assistance in upgrading
or additional information on the subject, please contact your network
administrator.")
:end (admin)
In this example, if the user's IE browser's version is lower than 5.0, an alert is sent to the Security
Management Server machine and a popup message is shown to the user with indication of the
problem.
SCVNames
In this section the administrator specifies the names and different checks for the SCV products.
Here is a general definition of an SCV check subset of SCVNames:
: (SCVCheckName1
:type (plugin)
:parameters (
:Expression1 (value)
:Expression2 (value)
:begin_admin (admin)
:send_log (alert)
:mismatchmessage ("Failure Message")
:end (admin)
)
)
The test section begins with the name of the SCV check (SCVCheckName1). SCVCheckName1
defines the name of the set of tests. It is defined in the SCV application and should be provided by
the SCV manufacturer. The type (plugin) expression specifies that the test is performed by an SCV
DLL plugin. The parameters subset is where the SCV rules and actions are defined. The type
(plugin) expression and the parameters subset should always be specified when defining a subset
of SCV checks (such as SCVCheckName1).
SCVPolicy
This section defines the names of the SCV checks that should be enforced (the names are part of
the SCV check names specified in SCVNames). This section's general structure is:
:SCVPolicy (
:(SCVCheckName1)
:(SCVCheckName2)
)
Note - there is a space between the colon (:) and the opening brace.
SCVGlobalParams
This section includes global parameters for SCV.
:SCVGlobalParams (
:enable_status_notifications (true)
:status_notifications_timeout (10)
:disconnect_when_not_verified (false)
:block_connections_on_unverified (false)
:scv_policy_timeout_hours (24)
:enforce_ip_forwarding (true)
:not_verified_script ("myscript.bat")
:not_verified_script_run_show (true)
:not_verified_script_run_admin (false)
:not_verified_script_run_always (false)
:allow_non_scv_clients (false)
:block_scv_client_connections (false)
)
:os_version_operand_nt ("==")
:service_pack_major_version_number_nt (5)
:service_pack_minor_version_number_nt (0)
:service_pack_version_operand_nt (">=")
:major_os_version_number_2k (5)
:minor_os_version_number_2k (0)
:os_version_operand_2k ("==")
:service_pack_major_version_number_2k (0)
:service_pack_minor_version_number_2k (0)
:service_pack_version_operand_2k (">=")
:major_os_version_number_xp (5)
:minor_os_version_number_xp (1)
:os_version_operand_xp ("==")
:service_pack_major_version_number_xp (0)
:service_pack_minor_version_number_xp (0)
:service_pack_version_operand_xp (">=")
)
)
: (ProcessMonitor
:type (plugin)
:parameters (
:begin_or (or1)
:AntiVirus1.exe (true)
:AntiVirus2.exe (true)
:end (or1)
:IntrusionMonitor.exe (true)
:ShareMyFiles.exe (false)
:begin_admin (admin)
:send_log (alert)
:mismatchmessage ("Please check that the following
processes are running:\n1. AntiVirus1.exe or AntiVirus2.exe\n2.
IntrusionMonitor.exe\n\nPlease check that the following process is not
running\n1. ShareMyFiles.exe")
:end (admin)
)
)
: (groupmonitor
:type (plugin)
:parameters (
:begin_or (or1)
:begin_and (1)
:"builtin\administrator" (false)
:"BUILTIN\Users" (true)
:end (1)
:begin_and (2)
:"builtin\administrator" (true)
:"BUILTIN\Users" (false)
:end (and2)
:end (or1)
:begin_admin (admin)
:send_log (alert)
:mismatchmessage ("You are using SecureClient with
a non-authorized user.\nMake sure you are logged on as an authorized user.")
:securely_configured_no_active_user (false)
:end (admin)
)
)
: (HotFixMonitor
:type (plugin)
:parameters (
:147222 (true)
:begin_admin (admin)
:send_log (alert)
:mismatchmessage ("Please install security patch
Q147222.")
:end (admin)
)
)
: (AntiVirusMonitor
:type (plugin)
:parameters (
:type ("Norton")
:Signature (">=20020819")
:begin_admin (admin)
:send_log (alert)
:mismatchmessage ("Please update your AntiVirus
(use the LiveUpdate option).")
:end (admin)
)
)
: (HWMonitor
:type (plugin)
:parameters (
:cputype ("GenuineIntel")
:cpumodel ("9")
:cpufamily ("6")
:begin_admin (admin)
:send_log (alert)
:mismatchmessage ("Your machine must have
an\nIntel(R) Centrino(TM) processor installed.")
:end (admin)
)
)
: (ScriptRun
:type (plugin)
:parameters (
:exe ("VerifyScript.bat")
:begin_admin (admin)
:send_log (alert)
:mismatchmessage ("Verification script has
determined that your configuration does not meet policy requirements.")
:end (admin)
)
)
: (RegMonitor
:type (plugin)
:parameters (
:value
("Software\TrendMicro\PC-cillinNTCorp\CurrentVersion\Misc.\PatternVer>=414")
:begin_admin (admin)
:send_log (alert)
:mismatchmessage ("Please update your AntiVirus
(use the LiveUpdate option).")
:end (admin)
)
)
: (SCVMonitor
:type (plugin)
:parameters (
:scv_version ("54014")
:begin_admin (admin)
:send_log (alert)
:mismatchmessage ("Please upgrade your Secure
Configuration Verification products package.")
:end (admin)
)
)
: (sc_ver_scv
:type (plugin)
:parameters (
:Default_SecureClientBuildNumber (52032)
:Default_EnforceBuildOperand ("==")
:MismatchMessage ("Please upgrade your SecureClient.")
:EnforceBuild_9X_Operand (">=")
:SecureClient_9X_BuildNumber (52030)
:EnforceBuild_NT_Operand ("==")
:SecureClient_NT_BuildNumber (52032)
:EnforceBuild_2K_Operand (">=")
:SecureClient_2K_BuildNumber (52032)
:EnforceBuild_XP_Operand (">=")
:SecureClient_XP_BuildNumber (52032)
)
)
)
:SCVPolicy (
: (BrowserMonitor)
: (HWMonitor)
: (AntiVirusMonitor)
)
:SCVGlobalParams (
:enable_status_notifications (false)
:status_notifications_timeout (10)
:disconnect_when_not_verified (false)
:block_connections_on_unverified (false)
:scv_policy_timeout_hours (24)
:enforce_ip_forwarding (true)
:not_verified_script ("")
:not_verified_script_run_show (false)
:not_verified_script_run_admin (false)
:not_verified_script_run_always (false)
:not_verified_script_run_always (false)
:allow_non_scv_clients (false)
)
When using this file, it is important to maintain the same indentation/nesting format.
Common Attributes
Typically, an administrator might need to change only a few of the common parameters (SCV
checks) contained in the SCV policy file.
SCV Checks
Anti-Virus monitor
Parameters:
• Type (“av_type”)
Type of Anti-Virus. For example, “Norton”, “VirusScan”, “OfficeScan”, or “ZoneLabs”.
• Signature(x)
Required Virus definition file signature. The signature’s format depends on the Anti-Virus
type. For example, on Norton Anti-Virus the signature maybe be “>=20031020”. (The format
for Norton’s AV signature is “yyyymmdd”).
For TrendMicro Officescan, the signature may be “<650”
For McAfee’s VirusScan, use signature (“>404291”) for a signature greater than 4.0.4291
For Zone Labs, use signature (“>X.Y.Z”) where X = Major Version, Y = Minor Version, and Z =
Build Number of the .dat signature file.
AntiVirusMonitor does not support “begin_or” and the “begin_and” syntax (see
"Expressions and Labels with Special Meanings" on page 81).
BrowserMonitor
Parameters:
• browser_major_version (5)
Major version number of Internet Explorer. If this field does not exist in the local.scv file, or
if this value is 0, the IE’S version will not be checked as part of the BrowserMonitor check.
• browser_minor_version (0)
Internet Explorer’s minor version number.
• browser_version_operand (“>=”)
The operator used for checking the Internet Explorer’s version number.
• browser_version_mismatchmessage (“Please upgrade your Internet Browser.”)
Message to be displayed in case of a non-verified configuration for the Internet Explorer’s
version.
• intranet_download_signed_activex (enable)
The maximum permission level that IE should have for downloading signed ActiveX
controls from within the local Intranet.
• intranet_run_activex (enable)
The maximum permission level that IE should have for running signed ActiveX controls
from within the local Intranet.
• intranet_download_files (enable)
The maximum permission level that IE should have for downloading files from within the
local Intranet.
intranet_java_permissions (low)
The maximum security level that IE Explorer should have for running java applets from
within the local Intranet.
(low) means a low security level.
• trusted_download_signed_activex (enable)
The maximum permission level that IE should have for downloading signed ActiveX
controls from trusted zones.
• trusted_run_activex (enable)
The maximum permission level that IE should have for running signed ActiveX controls
from trusted zones.
• trusted_download_files (enable)
The maximum permission level that IE should have for downloading files from trusted
zones.
• trusted_java_permissions (medium)
The maximum security level that IE should have for running java applets from trusted
zones.
• internet_download_signed_activex (disable)
The maximum permission level that IE should have for downloading signed ActiveX
controls from the Internet.
• Internet_run_activex (disable)
The maximum permission level that IE should have for running signed ActiveX controls
from the Internet.
• internet_download_files (disable)
The maximum permission level that IE should have for downloading files from the Internet.
• internet_java_permissions (disable)
The maximum security level that IE should have for running java applets from the Internet.
• restricted_download_signed_activex (disable)
The maximum permission level that IE should have for downloading signed ActiveX
controls from restricted zones.
• restricted_run_activex (disable)
The maximum permission level that IE should have for running signed ActiveX controls
from restricted zones.
• restricted_download_files (disable)
The maximum permission level that IE should have for downloading files from restricted
zones.
• restricted_java_permissions (disable)
The maximum security level that IE should have for running java applets from restricted
zones.
• send_log (type)
Determines whether to send a log to Security Management Server for specifying that the
client is not “SCVed.”
This SCV check does not support the “begin admin/end admin” parameter section.
The (type) section should be replaced by (log) or (alert)
• internet_options_mismach_message (“Your Internet browser settings do not meet
policy requirements”)
Mismatch message for the Internet Explorer settings.
BrowserMonitor can be configured to check only Internet Explorer’s version, or only the
browser’s settings for a certain zone. For example, if none of the following parameters appear:
restricted_download_signed_activex
restricted_run_activex
restricted_download_files
restricted_java_permissions
then BrowserMonitor will not check the restricted zones’ security settings. In similar fashion,
if the parameter “browser_major_version” does not appear or is equal to zero, then IE’s
version number is not checked.
BrowserMonitor does not support the “begin_or” and the “begin_and” syntax, and does not
support the admin parameters (see "Expressions and Labels with Special Meanings" on page
81).
For the script for checking Internet Explorer Service Pack, see Script for Internet Explorer
Service Pack below.
Groupmonitor
Parameters
• “builtin\administrator” (false)
A name of a user group. The user has to belong to this group in order for the machine
configuration to be verified.
• securely_configured_no_active_user (true)
Specifies whether the machine’s configuration may be considered verified when no user is
logged on. The default value is false.
HotFixMonitor
Parameters
• HotFix_Number (true)
A number of a system Hotfix to be checked. In order for the machine to be verified, the
Hotfix should be installed, for example: “823980(true)” verifies that Microsoft’s RPC patch
is installed on the operating system.
• HotFix_Name (true)
The full name of a system HotFix to be checked. In order for the machine to be verified, the
HotFix should be installed, for example: “KB823980(true)” verifies that Microsoft’s RPC
patch is installed on the operating system.
Not all the mentioned fields for HotFixMonitor need to appear in the local.scv file. Some of
them may not appear at all, or may appear more than once. These fields may also be ORed and
ANDed. In this way, multiple Hotfixes can be checked, and the results ORed or ANDed for extra
flexibility.
HWMonitor
Parameters
• cputype (“GenuineIntel”)
The CPU type as described in the vendor ID string. The string has to be exactly 12
characters long. For example: “GenuineIntel”, or “AuthenticAMD”, or “aaa bbb ccc ” where
spaces count as a character.
• cpufamily(6)
The CPU family.
• cpumodel(9)
The CPU model.
HWMonitor does not support the “begin_or” and the “begin_and” syntax (see "Expressions and
Labels with Special Meanings" on page 81).
OsMonitor
Parameters
• enforce_screen_saver_minutes_to_activate (3)
Time in minutes for the screen saver to activate. If the screen saver does not activate within
this time period, then the client is not considered verified. In addition, the screen saver
must be password protected.
• screen_saver_mismatchmessage (“Your screen saver settings do not meet policy
requirements”)
Mismatch message for the screen saver check. The screen saver will not be checked if the
property “enforce_screen_saver_minutes_to_activate” does not appear, or if the time is set
to zero.
• send_log (type)
Determines whether to send a log to Security Management Server for specifying that the
client is not “SCVed.”
This SCV check does not support the “begin admin/end admin” parameter section.
The (type) section should be replaced by (log) or (alert)
• major_os_version_number_9x (4)
Specifies the major version required for 9x operating systems to be verified.
• minor_os_version_number_9x (10)
Specifies the minor version required for 9x operating systems to be verified.
• os_version_operand_9x (“>=”)
Operator for checking the operating system’s version on 9x.
• service_pack_major_version_number_9x (0)
Specifies the major service pack’s version required for 9x operating system’s to be verified.
• service_pack_minor_version_number_9x (0)
Specifies the minor service pack’s version required for 9x operating systems to be verified.
• service_pack_version_operand_9x (“>=”)
Operator for checking the operating system’s service pack on 9x.
• major_os_version_number_nt (4)
Specifies the major version required for Windows NT operating systems to be verified.
• minor_os_version_number_nt (10)
Specifies the minor version required for Windows NT operating systems to be verified.
• os_version_operand_nt (“>=”)
Operator for checking the operating system’s version on Windows NT.
• service_pack_major_version_number_nt (0)
Major service pack version required for Windows NT operating systems to be verified
• service_pack_minor_version_number_nt (0)
Minor service pack version required for Windows NT operating systems to be verified
• service_pack_version_operand_nt (“>=”)
Operator for checking the operating system’s service pack on Windows NT
• major_os_version_number_2k (4)
Specifies the major version required for Windows 2000 operating systems to be verified.
• minor_os_version_number_2k (10)
Specifies the minor version required for Windows 2000 operating systems to be verified.
• os_version_operand_2k (“>=”)
Operator for checking the operating system’s version on Windows 2000
• service_pack_major_version_number_2k (0)
Specifies major service pack version required for Windows 2000 operating systems to be
verified.
• service_pack_minor_version_number_2k (0)
Specifies minor service pack version required for Windows 2000 operating systems to be
verified.
• service_pack_version_operand_2k (“>=”)
Operator for checking the operating system’s service pack on Windows 2000
• major_os_version_number_xp (4)
Specifies the major version required for Windows XP operating systems to be verified.
• minor_os_version_number_xp (10)
Specifies the minor version required for Windows XP operating systems to be verified.
• os_version_operand_xp (“>=”)
Operator for checking the operating system’s service pack on Windows XP
• service_pack_major_version_number_xp (0)
Specifies the major service pack version required for Windows XP operating systems to be
verified.
• service_pack_minor_version_number_xp (0)
Specifies the minor service pack version required for Windows XP operating systems to be
verified.
• service_pack_version_operand_xp (“>=”)
Operator for checking the operating system’s service pack on Windows XP.
ProcessMonitor
Parameters
• ProcessName.exe (true)
A process the administrator would like to check. If the value is true, the process needs to
be running for the machine to be verified. If the value is false, the process should not be
running for the machine to be verified.
ProcessMonitor can also be used to check for the existence/exclusion of more than one
process. The fields may be ANDed or ORed for flexibility.
RegMonitor
Parameters
• PredefinedKeys (HIVE)
Specify the registry hive from one of the following choices:
HKEY_CURRENT_USER
HKEY_LOCAL_MACHINE
HKEY_USERS
If one of the hives is not specified, then HKEY_LOCAL_MACHINE is used.
To configure a check for HKEY_CLASSES_ROOT, use
HKEY_LOCAL_MACHINE\Software\Classes and
HKEY_CURRENT_USER\Software\Classes.
• value (registry_value_path)
The path of a registry DWORD, under the hive specified by the predefined keys will be
checked. The value should be an operator followed by a number, e.g.
“Software\TrendMicro\PC-cillinNTCorp\CurrentVersion\Misc.\PatternVe
r>=414”
The syntax for the value parameter is:
:value (“pathOPval”)
For example:
:value (“Software\...\PaternVer>=414”)
• string (registry_string_path)
The path of a registry string, under the hive specified by the predefined keys will be
checked. The string’s value is compared to the given value, in the way that DWORDs are
compared.
• keyexist (registry_key_path)
The path of a registry key to check if the key exists, under the hive specified by the
predefined keys will be checked. The key must exist if the machine is to be verified.
• keynexist (registry_key_path)
The path of a registry key to be checked for exclusion, under the hive specified by the
predefined keys will be checked. For the machine to be verified, the key should not exist.
• allow_no_user (default: true)
This parameter is valid only when a user is logged in to the machine.
Since SC services and SCV checks run also when no user is logged on, a decision should be
taken if the check passed or failed.
If no user is logged on to the machine, and a running RegMonitor check is configured to
monitor HKEY_CURRENT_USER, the behavior is according to the flag allow_no_user.
If allow_no_user is true, the check will PASS.
If allow_no_user is false, the check will FAIL.
This attribute is not, by default, included in the local.scv file. If the attribute does not exist
in the file, then the default setting used is also true.
Configuring this attribute is done via local.scv. For example:
: (RegMonitor
:type (plugin)
:parameters (
:keyexist ("HKEY_CURRENT_USER\Software\CheckPoint")
:allow_no_user (true)
:begin_admin (admin)
:send_log (alert)
:mismatchmessage ("mismatch message ")
:end (admin)
)
)
Not all the mentioned fields for RegMonitor need to appear in the local.scv file. Some of them
may not appear at all, or may appear more than once. These fields may also be ORed and
ANDed. In this way, multiple registry entries can be checked, and the results ORed or ANDed
for extra flexibility.
Script for Internet Explorer Service Pack
RegMonitor can be configured to check the version and service pack of Internet Explorer. The
script looks as follows:
: (RegMonitor
:type (plugin)
:parameters (
:begin_or (or1)
:keynexist ("Software\Microsoft\Internet
Explorer")
:string ("Software\Microsoft\Internet
Explorer\Version>=6")
:begin_and (and1)
:string
("Software\Microsoft\Internet Explorer\Version>=5.5")
:string ("Software\Microsoft\Windows\CurrentVersion\Internet
Settings\MinorVersion>=SP2")
:string
("Software\Microsoft\Windows\CurrentVersion\Internet
Settings\MinorVersion<=SP9")
:end_and (and1)
:begin_and (and2)
:string
("Software\Microsoft\Internet Explorer\Version>=5.5")
:string
("Software\Microsoft\Windows\CurrentVersion\Internet
Settings\MinorVersion>=;SP2")
:string
("Software\Microsoft\Windows\CurrentVersion\Internet
Settings\MinorVersion<=;SP9")
:end_and (and2)
:end_or (or1)
:begin_admin (admin)
:send_log (alert)
:mismatchmessage ("Your IE must be at least
version 5.5 with SP2.")
:end (admin)
)
)
SCVMonitor
Parameters
• scv_version(“>=541000076”)
Represents the SCV product’s build number. This is the version of the DLLs in charge of the
SCV checks. This number differs from the build number of the client. SCV products can be
upgraded, and maybe updated without updating the client.
The string is an operator followed by the DLL’s version number in the format “vvshhhbbb”. For
example, if you want the DLL version to be at least 54.1.0.220, the syntax should be:
scv_version (“>=541000220”)
SCVMonitor does not support the “begin_or” and the “begin_and” syntax (see
"Expressions and Labels with Special Meanings" on page 81).
ScriptRun
Parameters
• exe (“VerifyScript.bat”)
Runs an executable. Supply the name of the executable, and the full path to the executable.
• run_as_admin (“no”)
Determines whether the verification script is run with administrator privileges. The default
is “no”. The only other value is “yes”.
• run_timeout (10)
Time (in seconds) to wait for the executable to finish. If the executable does not finish
within the set time, the process is considered as a failure, and the machine categorized as
“not verified”. The default value is zero, which is the same as “no timeout”.
ScriptRun does not support the “begin_or” and the “begin_and” syntax.
user_policy_scv
Parameters
• logged_on_to_policy_server (true/false)
Specifies whether the user has to be logged on to a Policy Server to be considered SCVed.
• policy_refresh_rate (“168”)
Time, in hours, for which the desktop policy remains valid. After 168 hours the desktop
policy is not considered valid, and the user is no longer SCVed. If this parameter is not
specified, the policy is not checked for freshness.
• mismatchmessage (“Place a message here”)
The message displayed when the user_policy_scv check fails.
• dont_enforce_while_connecting
If this parameter is present, the user is considered SCVed while connecting to the Security
Gateway. The user is considered SCVed only for the duration of the connect process.
SCVGlobalParams
Parameters
For all boolean parameters (true or false), the values should not be enclosed in quotation
marks.
• enable_status_notifications (true/false)
If “true”, the client displays a balloon window when the Desktop is not SCVed. On windows
9x and NT, where balloons are not supported, popups appear.
• status_notifications_timeout ()
The number of seconds the balloon window (see previous parameter) will be displayed.
• disconnect_when_not_verified (true/false)
If “true”, the Remote Access client will disconnect from the site when the Desktop is not
SCVed.
• block_connections_on_unverified (true/false)
If “true”, the Remote Access client will drop all open connections when the Desktop is not
SCVed.
Note - This parameter, if true, blocks all connections to the machine, not just those
connections to and from the VPN site.
• scv_policy_timeout_hours ()
The period (in hours) during which the SCV policy is considered valid since the last logon to
the Policy Server. When this timeout is about to expire the Remote Access client will
attempt to logon to the Policy Server to get a new SCV policy.
Possible values are between 1 and 504 hours(21 days). The default value is 168 hours (one
week). If you set the value to 0, the SCV policy never expires (no time-out).
• enforce_ip_forwarding (true/false)
If “true” the IP Forwarding between network interface cards on the user’s desktop must be
disabled for the user to be considered SCVed.
• ip_forwarding_mismatchmessage (“Message string placed here”)
The value is a string displayed when ip forwarding is enabled. For example:
ip_forwarding_mismatchmessage (“Please....etc”)
This is relevant only if ip forwarding is part of the SCV checks, that is, if the parameter is
defined as True.
• not_verified_script (“script_name.bat”)
The name of executable that will be run when the Desktop is not SCVed. The next three
parameters provide more options related to the running of the executable.
• not_verified_script_run_show (true/false)
If “true”, the executable’s progress will be displayed in an onscreen window.
• not_verified_script_run_admin (true/false)
If “true”, the executable will run with administrator privileges.
• not_verified_script_run_always (true/false)
If “true”, the executable will run every time the Desktop is not SCVed. If “false”, it will run
once per the Remote Access client session.
• :allow_non_scv_clients (true/false)
If “true”, the client will send a verified state to the enforcing Security Gateway even if the
OS does not support SCV.
Item Description
1 Internal hosts
2 Security Gateway
3 Internet
The process of the VPN establishment is transparent to the user, and works as follows:
1. A user at an IPsec / L2TP client initiates a connection to a Security Gateway.
2. The IPsec / L2TP client starts an IKE (Internet Key Exchange) negotiation with the peer
Security Gateway. The identities of the remote client machine and the Security Gateway may be
authenticated one of these ways:
• Through exchange of certificates
• Through pre-shared keys
Note - this option is less secure, since pre-shared key is shared among all L2TP clients.
Only authenticated machine can establish a connection.
3. Both peers exchange encryption keys, and the IKE negotiation ends.
4. Encryption is now established between the client and the Security Gateway. All connections
between the client and the Security Gateway are encrypted inside this VPN tunnel, using the
IPsec standard.
5. The Client starts a short L2TP negotiation, at the end of which the client can pass to the
Security Gateway L2TP frames that are IPsec encrypted and encapsulated.
6. The Security Gateway now authenticates the user at the Microsoft IPsec / L2TP client. This
authentication is in addition to the client machine authentication in step 3. This identification
can happen with these methods.
• A Certificate
• An MD5 challenge, whereby the user is asked to enter a username and a password
(pre-shared secret)
• A username and a password
7. The Security Gateway allocates to the remote client an Office Mode IP address to make the
client routable to the internal network. The address can be allocated from all of the Office
Mode methods.
8. The Microsoft IPsec / L2TP client connects to the Security Gateway, and can browse and
connect to locations in the internal network.
Note - IKE Security Association created for L2TP cannot be used for regular IPsec
traffic.
Authentication of Users
There are two methods used to authenticate an L2TP connection:
• Using Legacy Authentication
• Using certificates
Authentication Methods
L2TP clients can use any of the following Authentication schemes to establish a connection:
• Check Point password
• OS password
• RADIUS
• LDAP
• TACACS
Using a username and password verifies that a user is who they claim to be. All users must be
part of the Remote Access community and be configured for Office Mode.
Certificates
During the process of establishing the L2TP connection, two sets of authentication are performed.
First, the client machine and the Security Gateway authenticate each other's identity using
certificates. Then, the user at the client machine and the Security Gateway authenticate each
other using either certificates or a pre-shared secret.
Remote Access VPN Administration Guide R80.10 | 101
Layer Two Tunneling Protocol (L2TP) Clients
The Microsoft IPsec / L2TP client keeps separate certificates for IKE authentication of the client
machine, and for user authentication.
On the Security Gateway, if certificates are used for user authentication, then the Security Gateway
can use the same certificate or different certificates for user authentication and for the IKE
authentication.
Certificates for both clients and users can be issued by the same CA or a different CA. The users
and the client machines are defined separately as users in SmartConsole.
Certificates can be issued by:
• The Internal Certificate Authority (ICA) on the Security Management Server
• OPSEC certified Certificate Authority
3. On the client machine, place the user certificate in the User Certificate Store, and the client
machine certificate in the Machine Certificate Store.
4. On the client machine, set up the Microsoft IPsec / L2TP client connection profile.
8. In the Select Computer window select the computer (whether local or not) where the new
certificates have been saved.
9. Click Finish to complete the process and click Close to close the Add/Remove Snap- in
window.
10. The MMC Console window is displayed, where a new certificates branch has been added to the
Console root.
11. Right-click on the Personal entry of the Certificates branch and select All Tasks > Import. A
Certificate Import Wizard is displayed.
12. In the Certificate Import Wizard, browse to the location of the certificate.
13. Enter the certificate file password.
14. In the Certificate Store window make sure that the certificate store is selected automatically
based on the certificate type.
15. Select Finish to complete the Import operation.
16. Go to the Certificate subdirectory (under Personal). There is one certificate with the user
name and a second certificate with the management name.
17. Select the management certificate and drag it to the Certificates list under the Trusted Root
Certificate subdirectory.
18. Exit from the MMC console. You do not have to save it. You can see the changes in Internet
Explorer Properties.
Using the MMC, the certificate can be seen in the certificate store for the "Local Computer".
7. Click Create.
8. Click Close.
To Configure the Microsoft IPsec/L2TP Clients so they do not Check for the
"Server Authentication" Purpose
The following procedure tells the Microsoft IPsec/L2TP Client not to require the "Server
Authentication" purpose on the Security Gateway certificate.
1. In the client machine, right-click on the My Network Places icon on the desktop and select
Properties.
2. In the Network and Dial-up Connections window, double click the L2TP connection profile.
3. Click Properties, and select the Security tab.
4. Select Advanced (custom settings), and click Settings.
5. In the Advanced Security Settings window, under Logon security, select Use Extensible
Authentication Protocol (EAP), and click Properties.
6. In the Smart Card or other Certificate Properties window, uncheck Validate server
certificate, and click OK.
Note - The client validates all aspects of the Security Gateway certificate, during IKE
authentication, other than the "Server Authentication" purpose.
Item Description
1 Host machines
2 Security Gateway A
3 Internet
4 Security Gateway B
5 Host machines
7 Security Gateway C
8 Host machines
In the figure above, one of the host machines behind Security Gateway A needs to connect with a
host machine behind Security Gateway B. For either technical or policy reasons, Security Gateway
A cannot open a VPN tunnel with Security Gateway B. However, both Security Gateways A and B
can open VPN tunnels with Security Gateway C, so the connection is routed through Security
Gateway C.
As well as providing enhanced connectivity and security, VPN routing can ease network
management by hiding a complex network of Security Gateways behind a single Hub.
Item Description
1 Security Gateway 1
2 Internet
3 Remote client
4 Security Gateway 2
5 Server
6 Hosts
Suppose the same remote client needs to access an HTTP server on the Internet. The same
company policy regarding security still applies.
Item Description
1 HTTP Server
2 Internet
3 Remote client
4 Security Gateway
6 Hosts
The remote client's traffic is directed to the Security Gateway where it is directed to the UFP (URL
Filtering Protocol) server to check the validity of the URL and packet content, since the Security
Gateway does not possess URL-checking functionality. The packets are then forwarded to the
HTTP server on the Internet.
NATing the address of the remote client behind the Security Gateway prevents the HTTP server on
the Internet from replying directly to the client. If the remote client's address is not NATed, the
remote client will not accept the clear reply from the HTTP server.
Item Description
1 Security Gateway
2 Internet
Item Description
1 Remote Client 1
2 Remote Client 2
3 Internet
4 Security Gateway A
5 Security Gateway B
In the figure above, remote client 1 is configured for Hub mode with Security Gateway B. Remote
client 2 is configured for Hub mode with Security Gateway A. For the connection to be routed
correctly:
• Office mode must be enabled.
• VPN configuration files on both Security Gateways must include the Office Mode address range
used by the other. The VPN configuration file on Security Gateway A directs all traffic aimed at
an Office Mode IP address of Security Gateway B towards Security Gateway B. A connection
leaves Remote Client1 and is sent to Security Gateway B. From gateway B the connection is
passed to Security Gateway A. Security Gateway A once more redirects the traffic towards
Remote Client 2. The reply from Remote Client2 follows the same path but in reverse.
• Office mode addresses used by both Security Gateways must be non-overlapping.
9. Click OK.
10. Create the access control rule in the Access Control Policy.
VPN routing traffic is handled in the Security Policy Rule Base as a single connection, matched
to one rule only.
11. Click OK and publish the changes.
12. Configure the profile on the remote client to route all communication through the designated
Security Gateway.
To configure VPN routing for remote access clients with the VPN domain:
1. Create a network group, click New > Network Group.
2. Add these network groups:
• VPN domain
• Office Mode
3. Click OK and publish the changes.
4. Click Gateways & Servers and double-click the Security Gateway.
The gateway window opens and shows the General Properties page.
5. From the navigation tree, click Network Management > VPN Domain.
6. Click Manually defined.
7. Select the new network group.
8. Click OK and publish the changes.
The remote clients must connect to the site and perform a site update before they can
communicate with each other.
Item Description
1 Hub 1
2 Internet
3 Remote Client 1
4 Remote Client 2
5 Hub 2
Remote Client 1 works in Hub mode with Hub 1. Remote Client 2 works in Hub mode with the Hub
2. In order for VPN routing to be performed correctly:
• Remote clients must be working in Office mode
• Office mode address range of each Security Gateway must be included in the vpn_route.conf
file installed on the other Security Gateway.
Destination Next hop router interface Install On
Hub1_OfficeMode_range Hub1 Hub2
Connections are not allowed between remote users and hosts within the "MyIntranet" VPN
community. All other connections that start from the Remote Access Community, from inside or
outside of the VPN communities, are allowed.
LMHOSTS
Enter the relevant information (see below) the $FWDIR/conf/dnsinfo.C file on the Security
Gateway, and install the policy.
(
:LMdata(
:(
:ipaddr (<IP address>)
:name (<host name>)
:domain (<domain name>)
)
:(
:ipaddr (<IP address>)
:name (<host name>)
:domain (<domain name>)
)
)
)
When the topology is updated, the name resolution data will be automatically transferred to the
dnsinfo entry of the userc.C file and then to its LMHOSTS file.
The Solution
Multiple authentication can be reduced by:
• Increasing the re-authentication interval
• Caching the user's password
Re-Authentication Interval
For Connect Mode, the countdown to the timeout begins from the time that the Client is
connected.
Password Caching
When the timeout expires, the user will be asked to authenticate again. If password-caching is
enabled, clients will supply the cached password automatically and the authentication will take
place transparently to the user. In other words, the user will not be aware that re-authentication
has taken place.
Password caching is possible only for multiple-use passwords. If the user's authentication
scheme implement one-time passwords (for example, SecurID), then passwords cannot be
cached, and the user will be asked to re-authenticate when the authentication time-out expires.
For these schemes, this feature should not be implemented.
The Solution
When the Secure Domain Logon (SDL) feature is enabled, then after the user enters the OS user
name and password (but before the connection to the domain controller is started), the User
Authentication window is displayed. When the user enters the client credentials, the connection to
the domain controller takes place over an encrypted tunnel.
Cached Information
When the Remote Access client computer successfully logs on to a domain controller, the user's
profile is saved in cache. This cached information will be used if subsequent logons to the domain
controller fail, for whatever reason.
Port Description
UDP port 500 Always, even if using IKE over TCP
UDP port 2746 Only if using MEP, interface resolving or interface High
Availability
UDP port 259 Only if using MEP, interface resolving or interface High
Availability
Solution:
Best practice is:
• For Endpoint Security VPN and Check Point Mobile for Windows, use Office mode.
• For SecuRemote, use the Split DNS (on page 121) feature.
Split DNS
Split DNS uses a SecuRemote DNS Server, an object that represents an internal DNS server that
you can configure to resolve internal names with unregistered, (RFC 1981-style) IP addresses. It is
best to encrypt the DNS resolution of these internal names.
After you configure a SecuRemote DNS server to resolve traffic from a specified domain and
install policy, it takes effect. If users try to access that domain while connected to the VPN, the
request is resolved by the SecuRemote DNS server. The internal DNS server can only work when
users are connected to the VPN.
You can configure multiple SecuRemote DNS servers for different domains.
3. In the Domains tab, click Add to add the domains that will be resolved by the server.
The Domain window opens,
4. Enter the Domain Suffix for the domain that the SecuRemote DNS server will resolve, for
example, checkpoint.com.
5. In the Domain Match Case section, select the maximum number of labels that can be in the
URL before the suffix. URLs with more labels than the maximum will not be sent to that DNS.
• Match only *.suffix - Only requests with 1 label are sent to the SecuRemote DNS. For
example, "www.checkpoint.com" and "whatever.checkpoint.com" but not
"www.internal.checkpoint.com."
• Match up to x labels preceding the suffix- Select the maximum number of labels. For
example, if you select 3, then the SecuRemote DNS Server will be used to resolve
"www.checkpoint.com" and "www.internal.checkpoint.com" but not
"www.internal.inside.checkpoint.com".
6. Click OK.
7. Click OK.
8. Install the policy.
Note - In a MEP Security Gateway environment, the remote clients supported are the
Check Point Remote Access Clients.
MEP Methods
There are three methods used to choose which Security Gateway is used as the entry point for a
connection:
• First to Respond - The first Security Gateway to reply to the probing mechanism is chosen.
• Primary/Backup - The client attempts to connect to the Primary Security Gateway first. If the
Primary Security Gateway does not reply, the client attempts to connect to the Backup Security
Gateway. If the Backup Security Gateway does not reply, there are no further attempts to
connect.
• Random Selection - In a Load Sharing MEP environment, the client randomly selects a
Security Gateway and assigns the Security Gateway priority. The remote peer stays with this
chosen Security Gateway for all subsequent connections to host machines within the VPN
domain. Load distribution takes place on the level of "different clients", rather than the level of
"endpoints in a connection".
Remote Access VPN Administration Guide R80.10 | 123
Multiple Entry Point for Remote Access VPNs
Item Description
1 Remote Access Client
2 Internet
5 Security Gateway C
6 VPN Domain
In this scenario:
• The VPN Domain is behind three Security Gateways: A, B and C.
• Security Gateway A is the Primary Security Gateway.
• Security Gateway B is the Backup Security Gateway when Security Gateway A is not available.
• If Security Gateway A and Security Gateway B becomes unavailable, the remote host will not
attempt to connect to Security Gateway C.
• In a Primary-Backup configuration, the connection will failover to the backup Security Gateway
should the primary Security Gateway become unavailable. Even if the Primary Security
Gateway is restored, the connection does not return to the primary Security Gateway.
• All the gateways in the MEP:
Must support visitor mode.
The user must be working with a Visitor Mode enabled profile.
IP Pool NAT
IP pool NAT is a type of NAT in which source IP addresses from remote VPN domains are mapped
to an IP address drawing from a pool of registered IP addresses. In order to maintain symmetric
sessions using MEP Security Gateways, the MEP Security Gateway performs NAT using a range of
IP addresses dedicated to that specific Security Gateway and should be routed within the internal
network to the originating Security Gateway. When the returning packets reach the Security
Gateway, the Security Gateway restores the original source IP address and forwards the packets
to the source.
Note - When Office Mode is enabled, there is no need to configure IP Pool NAT
since Office Mode dynamically assigns IP's to remote hosts.
Configuring MEP
To configure MEP, decide on the MEP selection method:
• First to Respond
• Primary/Backup
• Load Distribution
First to Respond
When more than one Security Gateway leads to the same (overlapping) VPN domain, they are
considered MEP by the remote peer, and the first Security Gateway to respond to the probing
protocol is chosen. To configure first to respond, define that part of the network that is shared by
all the Security Gateways into a single group and assign that group as the VPN domain.
Primary-Backup
To configure the Primary-Backup selection method:
1. From Menu, click Global Properties.
2. From the navigation tree, click VPN > Advanced.
3. Click Enable Backup Gateway.
4. Click OK.
5. Publish the changes.
8. Configure IP pool NAT to handle return packets (see "Configuring Return Packets" on page
127).
Load Distribution
When you enable this option, the load distribution is dynamic and the remote client randomly
selects a Security Gateway.
Disabling MEP
Disabling MEP is configured by setting the following command to true in DBedit, the Check Point
database tool:
• desktop_disable_mep
• When MEP is disabled, MEP RDP probing and fail over will not be performed. As a result,
remote hosts will connect to the Security Gateway defined without considering the MEP
configuration.
Secondary Connect
In This Section:
Secondary Connect .....................................................................................................129
Configuring Secondary Connect ................................................................................129
Secondary Connect for Users ....................................................................................130
Secondary Connect
Secondary Connect gives access to multiple VPN gateways at the same time, to transparently
connect users to distributed resources. Users log in once to a selected site and get transparent
access to resources on different gateways. Tunnels are created dynamically as needed, based on
the destination of the traffic.
For example: Your organization has Remote Access gateways in New York and Japan. You log in to
a VPN site that connects you to the New York gateway. When you try to access a resource that is
behind the Japan gateway, a VPN tunnel is created and you can access the resource behind the
Japan gateway.
Traffic flows directly from the user to the gateway, without site-to-site communication. VPN
tunnels and routing parameters are automatically taken from the network topology and
destination server IP address.
In an environment with Secondary Connect, the gateway that the client first authenticates to is the
Primary gateway. A gateway that the client connects to through a secondary VPN, is a Secondary
gateway.
Secondary Connect is compatible with legacy SecureClient settings.
For gateway requirements for Secondary Connect, see sk65312
http://supportcontent.checkpoint.com/solutions?id=sk65312.
Where CTX00001 represents the VS number: CTX00001 for VS1, CTX00002 for VS2, and so on.
If their credentials are not cached, they might be prompted to authenticate again for a secondary
connection.
Note - If the Mobile Access blade is active on a Security Gateway, SSL Network
Extender works through Mobile Access and not IPsec VPN. In this case, SSL
Network Extender must be configured through the Mobile Access blade. If you
already had SSL Network Extender configured on an IPsec VPN Security Gateway
and then you enable the Mobile Access blade, you must reconfigure SSL Network
Extender for the Mobile Access blade.
Office Mode
Office Mode is a Check Point remote access VPN solution feature. It enables a Security Gateway to
assign a remote client an IP address. This IP address is used only internally for secure
encapsulated communication with the home network, and therefore is not visible in the public
network. The assignment takes place once the user connects and authenticates. The assignment
lease is renewed as long as the user is connected. The address may be taken either from a
general IP address pool, or from an IP address pool specified per user group, using a
configuration file.
Visitor Mode
Visitor Mode is a Check Point remote access VPN solution feature. It enables tunneling of all
client-to-Security Gateway communication through a regular TCP connection on port 443. Visitor
mode is designed as a solution for firewalls and Proxy servers that are configured to block IPsec
connectivity.
Hacker tools Tools that facilitate a hacker's access to a computer and/or the
extraction of data from that computer.
Keystroke loggers Programs that record user input activity (that is, mouse or
keyboard use) with or without the user's consent. Some keystroke
loggers transmit the recorded information to third parties.
Browser plug-ins Programs that change settings in the user's browser or adds
functionality to the browser. Some browser plug-ins change the
default search page to a pay-per-search site, change the user's
home page, or transmit the browser history to a third party.
3rd party cookies Cookies that are used to deliver information about the user's
Internet activity to marketers.
Pre-Requisites
The SSL Network Extender pre-requisites are listed below:
Client-side Pre-Requisites
The SSL Network Extender client-side pre-requisites for remote clients are:
• A supported Windows or Mac operating system.
• Allow ActiveX or Java Applet.
• A supported browser
• First time client installation, uninstallation, and upgrade require administrator privileges on
the client computer.
Server-Side Pre-Requisites
The SSL Network Extender server-side pre-requisites are listed below:
• The SSL Network Extender is a server side component, which is part of a specific Enforcement
Module, with which the SSL Network Extender is associated.
• The specific Security Gateway must be configured as a member of the Remote Access
Community, and configured to work with Visitor Mode. This will not interfere with Remote
Access client functionality, but will allow Remote Access client users to utilize Visitor Mode.
• The same access rules are configured for both Remote Access client and SSL Network
Extender users.
Features
The SSL Network Extender features are listed below:
• Easy installation and deployment.
• Intuitive and easy interface for configuration and use.
• The SSL Network Extender mechanism is based on Visitor Mode and Office Mode.
• Automatic proxy detection is implemented.
• Small size client: Download size of SSL Network Extender < 400K; after installation, size of
SSL Network Extender on disk is approximately 650K.
• All Security Gateway authentication schemes are supported: Authentication can be performed
using a certificate, Check Point password or external user databases, such as SecurID, LDAP,
RADIUS and so forth.
• At the end of the session, no information about the user or Security Gateway remains on the
client machine.
• Extensive logging capability, on the Security Gateway.
• High Availability Clusters and Failover are supported.
• SSL Network Extender Upgrade is supported.
• The SSL Network Extender supports the RC4 encryption method.
• Users can authenticate using certificates issued by any trusted CA that is defined as such by
the system administrator in SmartDashboard.
• SSL Network Extender is now supported on IPSO.
• Endpoint Security on Demand prevents threats posed by Malware types, such as Worms,
Trojan horses, Hacker's tools, Key loggers, Browser plug-ins, Adware, Third party cookies, and
so forth.
• SSL Network Extender can be configured to work in Hub Mode. VPN routing for remote access
clients is enabled via Hub Mode. In Hub mode, all traffic is directed through a central Hub.
Server-Side Configuration
The SSL Network Extender requires only server side configuration
Configure each Security Gateway that uses SSL Network Extender. When the Mobile Access
Software Blade is enabled, SSL Network Extender is enabled as a Web client.
3. Select the user authentication method, employed by the SSL Network Extender, from the
drop-down list. The options are:
• Certificate - The system authenticates the user only with a certificate.
• Certificate with enrollment - The system authenticates the user only with a certificate.
Enrollment is allowed.
If the users do not have a certificate, they can enroll using a registration key that they
previously received from the administrator.
• Legacy - (Default setting) The system authenticates the user with the Username and
Password.
• Mixed - The system tries to authenticate the user with the certificate. If the user does not
have a valid certificate, the system tries to authenticate the user with the Username and
Password.
5. Select the supported encryption method from the drop-down list. The options are:
• 3DES only: (Default) The SSL Network Extender client supports 3DES, only.
• 3DES or RC4: The SSL Network Extender client supports the RC4 encryption method, as
well as 3DES.
6. You can determine whether the SSL Network Extender will be uninstalled automatically, when
the user disconnects. Select the desired option from the drop-down list. The options are:
• Keep installed: (Default) Do not uninstall. If the user wishes to uninstall the SSL Network
Extender, he/she can do so manually.
• Ask user whether to uninstall: Ask user whether or not to uninstall, when the user
disconnects.
• Force uninstall: Always uninstall automatically, when the user disconnects.
For a description of the user disconnect experience, refer to Uninstall on Disconnect (on page
148).
Note - The Uninstall on Disconnect feature will not ask the user whether or not to uninstall,
and will not uninstall the SSL Network Extender, if a user has entered a suspend/hibernate
state, while he/she was connected.
7. You can determine whether Endpoint Security on Demand will be activated, or not. When ESOD
is activated, users attempting to connect to the SSL Network Extender will be required to
successfully undergo an ESOD scan before being allowed to access the SSL Network
Extender. Select the desired option from the drop-down list. The options are:
• None
• Endpoint Security on Demand
Upgrading ESOD
Note - At present, the Dynamic ESOD Update feature is not supported.
Note - Make sure that Endpoint Security on Demand is enabled in the Global
Properties > Remote Access > SSL Network Extender page.
Disabling a Skin
1. Enter the specific skin subdirectory, under custom, that is to be disabled and create a file
named disable. This file may be empty.
2. If the specific skin does not exist under custom, create it and then create a file within it named
disable.
3. Install Policy. The next time that the user connects to the SSL Network Extender portal, this
skin will not be available to him/her.
Example
cd $FWDIR/conf/extender/skin/custom
mkdir skin1
touch disable
Creating a Skin
1. Enter the custom subdirectory.
2. Create a folder with the desired skin name.
Note - Verify that this name is not already used in chkp. If it is, the new skin definition will
override the existing skin definition (as long as the new skin definition exists). Once you have
deleted the new skin definition, the chkp skin definition will once again be used.
Each skin folder must contain the following five style sheets:
• help_data.css: The main OLH page uses this style sheet.
• help.css: The inner frame on the OLH page uses this style sheet.
• index.css: The ESOD pages, and the main SSL Network Extender portal page use this
style sheet.
• style.css: All login pages use this style sheet.
• style_main.css: The main SSL Network Extender Connection page, Proxy
Authentication page and Certificate Registration page use this style sheet.
Note - It is recommended that you copy the aforementioned files from another chkp skin, and
then modify them as desired.
3. Install Policy after creating the new skin.
Example
Add your company logo to the main SSL Network Extender portal page.
cd $FWDIR/conf/extender/skin/custom
mkdir <skin_name>
cd <skin_name>
copy ../../chkp/skin2/* .
• custom: contains languages defined by the customer. If custom does not exist yet, create it.
At upgrade, this subdirectory is not overwritten. New languages are added in this subdirectory.
Disabling a Language
1. Enter the specific language subdirectory, under custom, that is to be disabled (if it exists) and
create a file named disable. This file may be empty.
2. If the specific language does not exist under custom, create it and then create a file within it
named disable.
3. Install Policy. The next time that the user connects to the SSL Network Extender portal, this
language will not be available to him/her.
Adding a Language
1. Enter the custom subdirectory.
2. Create a folder with the desired language name.
Note - Verify that this name is not already used in chkp. If it is, the new language definition will
override the existing language definition (as long as the new language definition exists). Once
you have deleted the new language definition, the chkp language definition will once again be
used.
3. Copy the messages.js file of an existing chkp language to this folder.
4. Edit the messages.js file and translate the text bracketed by quotation marks.
5. Save.
6. Install Policy after adding the new language.
Example
cd $FWDIR/conf/extender/language
mkdir custom
cd custom
mkdir <language_name>
cd <language_name>
copy ../../chkp/english/messages.js
Edit the messages.js file and translate the text bracketed by quotation marks.
Save.
In custom/english/messages.js, add a line as follows:
<language_name>="translation of language_name";
Install Policy.
Modifying a Language
1. Enter the custom subdirectory.
2. Create a folder with a language name that matches the chkp language folder to be modified.
3. Create an empty messages.js file, and insert only those messages that you want to modify,
in the following format:
<variable_name>="<desired text>";
The SSL Network Extender can use ActiveX control in its applications. To use ActiveX you must
download the specific ActiveX components required for each application. Once these components
are loaded, you do not need to download them again unless upgrades or updates become
available. If you do not want to use an ActiveX component you may work with a Java Applet.
Once the user has confirmed the ESOD server, an automatic software scan takes place on the
client's machine. Upon completion, the scan results and directions on how to proceed are
displayed as shown below.
ESOD not only prevents users with potentially harmful software from accessing your network,
but also requires that they conform to the corporate Anti-Virus and firewall policies, as well. A
user is defined as having successfully passed the ESOD scan only if he/she successfully
undergoes scans for Malware, Anti-Virus, and Firewall. Each malware is displayed as a link,
which, if selected, redirects you to a data sheet describing the detected malware. The data
sheet includes the name and a short description of the detected malware, what it does, and the
recommended removal method/s.
The options available to the user are configured by the administrator on the ESOD server. The
options are listed in the following table:
Scan Option Description
Scan Again Allows a user to rescan for malware. This option is used in order to
get refreshed scan results, after manually removing an undesired
software item.
Cancel Prevents the user from proceeding with the portal login, and closes
the current browser window.
Continue Causes the ESOD for Mobile Access client to disregard the scan
results and proceed with the log on process.
Importing a Client Certificate with the Microsoft Certificate Import Wizard to Internet
Explorer
Importing a client certificate to Internet Explorer is acceptable for allowing access to either a
home PC with broadband access, or a corporate laptop with a dial-up connection. The client
certificate will be automatically used by the browser, when connecting to an SSL Network
Extender Security Gateway.
11. If you are connected with Windows Vista, a Windows Firewall message will appear. Click
Unblock.
You may work with the client as long as the SSL Network Extender Connection window, shown
below, remains open, or minimized (to the System tray).
Once the SSL Network Extender is initially installed, a new Windows service named Check
Point SSL Network Extender and a new virtual network adapter are added. This new network
adapter can be seen by typing ipconfig /all from the Command line.
Note - The settings of the adapter and the service must not be changed. IP assignment,
renewal and release will be done automatically.
Note - The Check Point SSL Network Extender service is dependent on both the virtual
network adapter and the DHCP client service. Therefore, the DHCP client service must not be
disabled on the user's computer.
Both the virtual network adapter and the Check Point SSL Network Extender service are
removed during the product uninstall.
There is no need to reboot the client machine after the installation, upgrade, or uninstall of the
product.
12. When you finish working, click Disconnect to terminate the session, or when the window is
minimized, right-click the icon and click Disconnect. The window closes.
Uninstall on Disconnect
If the administrator has configured Uninstall on Disconnect to ask the user whether or not to
uninstall, the user can configure Uninstall on Disconnect as follows.
Java
1. When connecting for the first time, the SSL Network Extender installation archive package is
downloaded.
This process is similar to the Windows Java installation.
2. If the user does not have root permissions, the user is prompted to enter a root password in
order to install the package. Enter the password and press Enter.
After the installation is finished, the applet will try to connect.
If it is the first time, the following window is displayed:
If the system Administrator has sent the user a fingerprint, it is strongly recommended that
the user verify that the server certificate fingerprint is identical to the Root CA Fingerprint
seen in the window.
3. Click Yes to confirm.
Command Line
To download the SSL Network Extender installation archive package:
1. In the Network Applications Settings window, click on click here in the sentence For Linux
command line SSL Network Extender installation click here. The Shell archive package is
downloaded to the users home directory.
Before running the installation script, make sure execute permissions are available on the file.
Use the command chmod + x snx_install.sh to add execution permissions.
2. Download and select the SSL Network Extender manual installation.
• Download MSI installation package for Windows
• Download command line SSL Network Extender for Linux
• Download command line SSL Network Extender for Macintosh
3. Select the operating system.
The Shell archive package is downloaded to the user's home directory.
4. Run snx_install.sh.
If the user does not have root permissions, the user is prompted to enter a root password in
order to install the package. Enter the password and press Enter.
To disconnect after installation, run Server_1:/ snx -d.
Attributes Description
snx -f <configuration file> Run SSL Network Extender using parameters defined in a
configuration file other than the default name or location.
Attributes Description
snx -c <certificate file> Specify which certificate is used to authenticate.
snx -l <CA directory> Define the directory where CA's certificates are stored.
snx -p <port> Change the HTTPS port. (default port is TCP 443).
snx -e <cipher> Force a specific encryption algorithm. Valid values - RC4 and
3DES.
Attributes Description
server Change the HTTPS port. (default port is TCP 443).
Note - Proxy information can only be configured in the configuration file and not directly
from the command line.
ESOD Issues
1. User did not pass the scan (a 'Continue' button is not displayed).
The user probably did not match the policy requirements.
• If using "ESOD per User Group" feature – Verify that the user is using the correct policy.
• According to the policy, Explain the user how to remove the elements that are blocking
him.
2. User cannot access the given URL for his specific group.
• Make sure that the group listed in the URL is listed in the ics.group file, with the correct
xml file.
• Make sure that the xml file that is assigned to the group exists in $FWDIR/conf/extender.
• Make sure Install Policy has been made since the ics.group file has changes.
3. User has passed the ESOD scan, but gets a "Wrong ESOD Scan" error when trying to
connect.
This means that the user has passed the scan intended for a group that he does not belong to.
• Verify that the user is using the correct URL.
• Look at the Logs tab in the SmartConsole Logs & Monitor view. The log should state which
xml file the user used for the scan.
• Make sure that this file is the same as the user's group file. If not, direct the user to the
correct URL.
Item Description
1 Server
2 Security Gateway
3 Internet
4 Router
5 Remote Client
Hide NAT not only changes the IP header but also the port information contained in the UDP
header. For example, if the UDP packet is too long, the remote client fragments the packet. The
first fragment consists of the IP header plus the UDP header and some portion of the data. The
second fragment consists of only the IP header and the second data fragment. The NATing device
does not know how to wait for all the fragments, reassemble and NAT them.
When the first fragment arrives, the NAT device successfully translates the address information in
the IP header, and port information in the UDP header and forwards the packet. When the second
fragment arrives, the NATing device cannot translate the port information because the second
packet does not contain a UDP header; the packet is dropped. The IKE negotiation fails.
Note - If the VPN peers authenticate each other using pre-shared secrets, large UDP
packets are not created; however, certificates are more secure, and thus
recommended.
During IPsec
NAT Traversal (UDP Encapsulation for Firewalls and Proxies)
Having successfully negotiated IKE phases I and II, we move into the IPsec stage. Data payloads
encrypted with AES and SHA, for example, are placed within an IPsec packet. However, this IPsec
packet no longer contains a TCP or UDP header. A hide NAT device needs to translate the port
information inside the header. The TCP/UDP header has been encrypted along with the data
payload and can no longer be read by the NATing device.
A port number needs to be added. UDP Encapsulation is a process that adds a special UDP header
that contains readable port information to the IPsec packet.
Note - From the system administrator perspective, there is nothing to configure for
PMTU; the IPsec PMTU discovery mechanism, both active and passive, runs
automatically.
Item Description
1 LAN
2 Internal Switch
4 External Switch
5 Internet
6 NATing Device
For the connection to survive a failover between cluster members, the "keep alive" feature must
be enabled in Global Properties > Remote Access > Enable Back connections from gateway to
client
This is also true if the NATing is performed on the Security Gateway cluster side.
Visitor Mode
Visitor Mode tunnels all client-to-gateway communication through a regular TCP connection on
port 443.
Item Description
1 Host Server
3 Internet
4 Non-Check Point peer gateway that works with Visitor Mode to allow traffic to the
client
All required VPN connectivity between the Client and the Server is tunneled inside this TCP
connection. This means that the peer Security Gateway needs to run a Visitor Mode (TCP) server
on port 443.
Number of Users
To obtain optimal performance of the Visitor Mode server:
• Minimize the number of users allowed Visitor Mode if performance degrades
• Increase the number of sockets available on the OS by editing the appropriate values, for
example the socket descriptor on Linux systems
Note - All partner Security Gateways must agree on the same allocated port, since the
visitor Mode server on the peer gateway will be listening on only one port.
Item Description
1 TCP Server
2 Security Gateway
3 Internet
On the Security Gateway object running the Visitor Mode server, General Properties > Remote
Access page > there is a setting for Allocated IP address. All the available IP addresses can be
configured to listen on port 443 for Visitor Mode connections.
Interface Resolution
For interface resolution in a Visitor Mode environment, it is recommended to use static IP
resolution or dedicate a single interface for Visitor Mode.